LimerickDude-2591 asked

IIS & Auto Rebind

Hi Guys,

I have the below setup:

Application Gateway sits in front of a backend IIS Server (Windows Server 2016) which is running the Azure KeyVault Extension for Windows & has Automatic Rebind of Certificates enabled in IIS. So the scenario is: the App GW & VM certificate are pulled from the Key Vault when rekeyed (after the polling interval); the App GW updates the cert correctly, and the cert goes into the Certificate Store on the server (Personal). The cert on the VM does not update in the bindings in IIS, but when I go to the web server it is using the new rekeyed certificate.

Any idea what needs to happen to make it reflect the new cert in the IIS Bindings?

Cheers,
LD.

Tags: windows-server-iis, azure-key-vault, azure-application-gateway

1 Answer

GitaraniSharmaMSFT-4262 answered

Hello @LimerickDude-2591 ,

Apologies for the delay in response.

The auto rebinding on the VM IIS Server would unfortunately not work, as it relies on the Event ID which is created in the Event Viewer for the certificate enrollment and renewal in MMC, and the sources which are mentioned for that event ID to be created are all done manually and not through VM extensions.

You can refer to similar issues below:
https://docs.microsoft.com/en-us/answers/questions/677497/index.html
https://stackoverflow.com/questions/65791567/azure-keyvault-extention-is-not-updating-the-ssl-bindings-in-iis-but-client-is-a

Hence, for the VM IIS server you would need to manually do the SSL binding. I've internally confirmed this with the support team.

There is another possibility of using Azure Web App to achieve the same, where you would migrate from the VM IIS to one of the PaaS services (Web App), where the automation of the certificate is 100 percent.

Create a webapp, add the custom domain there and select the Certificate from the Key Vault for installing and then the SSL binding. And when the certificate is renewed in Key Vault, the SSL binding also gets updated automatically with the new certificate.

Below is the article for your reference on this scenario:
https://docs.microsoft.com/en-us/azure/app-service/configure-ssl-certificate?tabs=apex%2Cportal

Kindly let us know if the above helps or you need further assistance on this issue.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
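Since the answer above says the IIS binding on the VM has to be updated manually after the Key Vault extension drops the renewed certificate into LocalMachine\My, the following PowerShell script is an added example of doing that update in a repeatable way; it is not code from the thread, from the Key Vault extension, or from Microsoft. It assumes the WebAdministration module (present on Windows Server 2016 with IIS), and the site name, host header, port and certificate subject are placeholders to be replaced with your own. It picks the newest valid certificate with a private key for the given subject, compares its thumbprint with the thumbprint currently on the https binding, and only rebinds when they differ, so it is safe to run on a schedule shortly after the extension's polling interval.

```powershell
# Added example (not from the original thread): rebind an IIS https binding
# to the newest certificate that the Key Vault extension placed in LocalMachine\My.
Import-Module WebAdministration

# --- assumed placeholders: replace with your own values ---
$SiteName   = 'Default Web Site'
$HostHeader = 'www.example.com'
$Port       = 443
$Subject    = 'CN=www.example.com'   # subject of the Key Vault certificate as imported

# Newest usable certificate for the subject: has a private key and is not expired.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $Subject -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotBefore -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No usable certificate with subject '$Subject' found in LocalMachine\My"
}

# Existing https binding for this site/host/port, created if it does not exist yet.
# -SslFlags 1 requests SNI so several host names can share port 443.
$binding = Get-WebBinding -Name $SiteName -Protocol https -Port $Port -HostHeader $HostHeader
if (-not $binding) {
    New-WebBinding -Name $SiteName -Protocol https -Port $Port -HostHeader $HostHeader -SslFlags 1
    $binding = Get-WebBinding -Name $SiteName -Protocol https -Port $Port -HostHeader $HostHeader
}

# certificateHash is the thumbprint currently attached to the binding (empty on a new binding).
$current = $binding.certificateHash
if ($current -and ($current -ieq $cert.Thumbprint)) {
    Write-Output "Binding already uses $($cert.Thumbprint) (expires $($cert.NotAfter)); nothing to do."
}
else {
    Write-Output "Rebinding ${HostHeader}:$Port from '$current' to $($cert.Thumbprint) (expires $($cert.NotAfter))"
    # 'my' is the Personal store, where the Key Vault extension imports the certificate.
    $binding.AddSslCertificate($cert.Thumbprint, 'my')
}

# Verification: show what IIS/HTTP.sys now has bound on the port.
Get-ChildItem IIS:\SslBindings |
    Where-Object { $_.Port -eq $Port } |
    Format-Table IPAddress, Host, Port, Thumbprint, Store -AutoSize
```

Run it in an elevated PowerShell session, then register it as a scheduled task (for example hourly, or at whatever interval you configured for the extension's certificate polling) so the binding catches up with each renewal without anyone logging on to the VM. Because it compares thumbprints before touching the binding, repeated runs are no-ops until a new certificate actually appears in the store.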

